What is Amazon S3
Amazon S3 (Simple Storage Service) is a widely used cloud storage solution, appreciated for its simplicity, flexibility, and cost-effectiveness. Businesses of all sizes rely on S3 for everything from hosting website assets to storing sensitive customer information. However, with this flexibility comes the risk of misconfigurations. A single mistake can expose your data to the internet, leaving it vulnerable to breaches and attacks.
Why S3 Security is Essential
S3 buckets often store sensitive and valuable data, like personal and financial records, making them a prime target for attackers. While S3’s flexibility is one of its biggest strengths, it can also lead to vulnerabilities if configurations aren’t handled carefully. A single misconfiguration could expose your bucket to the internet, putting your business at risk of data breaches, legal troubles, and financial losses.
As businesses increasingly adopt cloud infrastructure, attackers are always looking for opportunities to exploit weaknesses. Securing your S3 buckets isn’t just important—it’s essential to protect your business and maintain your customers' trust.
Configuration Mistakes: A Common but Dangerous Problem
Amazon S3 offers flexible configurations that we all love, but with that flexibility comes the risk of misconfigurations. As humans, we all make mistakes, so misconfigurations are always a possibility. It’s not just something that happens to new developers—even experienced engineers can overlook critical security details. Sometimes it’s negligence, a lack of understanding, or the pressure of project deadlines, where we leave things lax, thinking we’ll secure them later—but that “later” almost never comes. What might seem like a small, harmless oversight today could turn into a significant security loophole for your company tomorrow.
Let’s take a look at three common misconfigurations that attackers frequently exploit—and how you can configure them securely:
- Publicly accessible buckets
- Unrestricted bucket policy
- Overly permissive Access Control Lists (ACLs)
Publicly Accessible Buckets
Making a bucket publicly accessible is one of the quickest ways to allow external users or applications to access your data. And let’s admit it—it’s tempting when you’re busy and have bigger things on your plate. But leaving a bucket publicly accessible is one of the most critical mistakes you can make. It allows unauthorized parties to view, download, or even modify your content without any authentication.
Let’s go over how to block public access and ensure only authenticated users can access your bucket contents.
In the AWS Management Console:
- Go to the S3 service and open the bucket you want to restrict.
- Navigate to the Permissions tab.
- Under Block public access (bucket settings), ensure the following checkboxes are selected:
  - Block public access to buckets and objects granted through new access control lists (ACLs)
  - Block public access to buckets and objects granted through any access control lists (ACLs)
  - Block public access to buckets and objects granted through new public bucket or access point policies
  - Block public and cross-account access to buckets and objects through any public bucket or access point policies
- Once done, verify that Block all public access is shown as On (green).
Unrestricted Bucket Policy
The bucket policy defines who can access your bucket and what actions they can perform. You can edit the bucket policy under the same Permissions tab. Below are examples of bad and good policies.
Bad policy 1
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Principal": "*",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "arn:aws:s3:::example-name/*"
    }
  ]
}
This policy allows anyone, without authentication, to perform any action on every object in your bucket.
Bad policy 2
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Principal": "*",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-name/*"
    }
  ]
}
This policy allows open access to all objects in the bucket. Even if you intend to make some assets public (like profile pictures), you should keep the bucket private and use AWS CloudFront to expose those assets.
Bad policy 3
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Principal": "*",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-name/*"
    }
  ]
}
This policy allows anyone to upload files to your bucket, which could lead to abuse and unwanted costs.
Good policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/example-user"
      },
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::example-name/*"
    }
  ]
}
This policy restricts access to a specific IAM user, allowing only a predefined set of actions (like reading, uploading, or deleting objects). You can also use IAM roles depending on whether it’s an application or a human user.
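To check both settings covered above (the four Block Public Access checkboxes and the bucket policy) without clicking through the console, here is an added offline audit script; it is example code, not GuardKite's or AWS's own, and it assumes you feed it the JSON returned by `aws s3api get-bucket-policy` and `aws s3api get-public-access-block`. It flags every Allow statement granted to the wildcard principal and grades it by the three bad policies above.

```python
# Offline audit helpers for the two settings discussed above. Added example,
# not GuardKite's or AWS's own code. Inputs are the documents returned by
# `aws s3api get-bucket-policy` and `aws s3api get-public-access-block`.
import json

# The four Block Public Access settings shown as checkboxes in the console.
PUBLIC_ACCESS_BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
                            "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    """Principal/Action/Resource may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def principal_is_public(principal):
    """True for the wildcard principal in either IAM form: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def audit_bucket_policy(policy):
    """Return one finding per Allow statement granted to everyone.
    `policy` is a JSON string or a parsed dict. Conditions are not evaluated,
    so a flagged statement that carries a Condition still needs a manual look."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not principal_is_public(stmt.get("Principal", {})):
            continue
        actions = _as_list(stmt.get("Action", []))
        if "*" in actions or "s3:*" in actions:
            severity = "CRITICAL"  # bad policy 1: anyone may do anything
        elif any(a in ("s3:PutObject", "s3:DeleteObject") for a in actions):
            severity = "HIGH"      # bad policy 3: anonymous write
        else:
            severity = "MEDIUM"    # bad policy 2: anonymous read of every object
        findings.append(f"{severity}: public principal allowed {sorted(actions)}")
    return findings

def public_access_block_gaps(config):
    """Return Block Public Access settings that are missing or False; [] means fully on."""
    return [k for k in PUBLIC_ACCESS_BLOCK_KEYS if not config.get(k, False)]

if __name__ == "__main__":
    # Constructed sample: bad policy 2 from the article and a half-configured block.
    sample = {"Version": "2012-10-17", "Statement": [{"Principal": "*", "Effect": "Allow",
              "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-name/*"}]}
    print(audit_bucket_policy(sample))
    print(public_access_block_gaps({"BlockPublicAcls": True, "IgnorePublicAcls": True}))
```

An empty result from both functions means the bucket matches the good policy and the fully enabled Block all public access setting described above.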
Overly permissive Access Control Lists (ACLs)
Access Control Lists (ACLs) were historically used to manage S3 access but are now considered outdated. It’s better to use Bucket Policies for access control. If your bucket uses ACLs, disable them and transition to a Bucket Policy.
Steps to Disable ACLs:
- Go to the bucket's Permissions tab.
- Under Object Ownership, select ACLs disabled (recommended).
- Click Save changes.
By disabling ACLs, you’ll ensure a more secure and modern approach to managing bucket access.
Final Thoughts
Amazon S3 is a versatile and powerful tool, but it requires attention to detail when configuring its security. Misconfigurations can turn into costly mistakes, but by understanding these common vulnerabilities and following best practices, you can secure your buckets and keep your data safe from unauthorized access.
How to Keep Track of Which S3 Buckets Are Secure and Which Are Not
Securing your Amazon S3 buckets is critical, but keeping track of which buckets are properly configured and which ones might be at risk can quickly become overwhelming.
That’s where GuardKite comes in. GuardKite makes it easy to monitor the security of your S3 buckets by automatically scanning for vulnerabilities like public access, overly permissive policies, and missing encryption. With real-time alerts and actionable insights, you’ll always know the status of your buckets and how to fix any issues before they become a problem.
With GuardKite, you can gain clear visibility into your S3 bucket configurations and address vulnerabilities proactively to ensure your data stays secure.
Get started with GuardKite - https://app.guardkite.com/.